This document is intended to describe Glewlwyd's core API endpoints. Glewlwyd's core API endpoints are used to manage core functionalities data.
- Endpoints authentication
- Prefix
- Content-type
- Error response
- Configuration
- Plugins and modules management
- Get all modules available
- Reload all modules
- Get all user module instances available
- Get a user module instance
- Add a new user module instance
- Update an existing user module instance
- Delete an existing user module instance
- Enable or disable an existing user module instance
- Get a user middleware module instance
- Add a new user middleware module instance
- Update an existing user middleware module instance
- Delete an existing user middleware module instance
- Enable or disable an existing user middleware module instance
- Get all client module instances available
- Get a client module instance
- Add a new client module instance
- Update an existing client module instance
- Delete an existing client module instance
- Enable or disable an existing client module instance
- Get all user auth scheme module instances available
- Get a user auth scheme module instance
- Add a new user auth scheme module instance
- Update an existing user auth scheme module instance
- Delete an existing user auth scheme module instance
- Enable or disable an existing user auth scheme module instance
- Get all plugin module instances available
- Get a plugin module instance
- Add a new plugin module instance
- Update an existing plugin module instance
- Delete an existing plugin module instance
- Enable or disable an existing plugin module instance
- Users management
- Clients management
- Scopes management
- API Keys management
- User authentication
- Grant scopes
- User profile
- Get list of connected profiles
- Update current profile
- Change user password for current profile
- Delete current profile
- Get list of plugins available
- Get sessions for current profile
- Disable a session for current profile
- Get list of schemes available
- Register an auth scheme for current profile
- Get registration on an auth scheme for current profile
- Profile delegation
- Update profile by delegation
- Get sessions for profile by delegation
- Disable a session for a profile by delegation
- Get list of plugins available by delegation
- Get list of schemes available by delegation
- Register an auth scheme for a profile by delegation
- Get registration on an auth scheme for a profile by delegation
- Authentication Scheme APIs
All the endpoints require proper authentication to provide their service. The authentication method used is a session cookie. For each endpoint, the scope required will be defined in the Security paragraph. The admin scope name is g_admin, the profile scope name is g_profile, but these values can be changed in the configuration file.
All URLs are based on the prefix you will setup. In this document, all endpoints will assume they use the prefix /api.
All request and response body use application/json content-type.
The HTTP status codes used are the following:
- 200 OK: no error
- 400 Invalid parameters: The user has sent invalid data. The details of all the errors may be present in the response body
- 401 Unauthorized: The user isn't authorized
- 403 Forbidden: The user isn't allowed
- 404 Not found: The specified resource doesn't exist
- 500 Server error: An error occurred on the server
This endpoint is the only one accessible directly from the root of the server.
/config
GET
Code 200
Content
{
"api_prefix": string, prefix to access the APIs
"admin_scope": string, name of the admin scope
"profile_scope": string, name of the profile scope
"delete_profile": string, "yes" if the user is allowed to delete its profile, "no" otherwise
}Example
{
"api_prefix":"api",
"admin_scope":"g_admin",
"profile_scope":"g_profile",
"delete_profile": "no"
}Return the list of all modules available for all types of modules
/api/mod/type/
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
{
user: [
name: string,
display_name: string
description: string
],
client: [
name: string,
display_name: string
description: string
],
scheme: [
name: string,
display_name: string
description: string
],
plugin: [
name: string,
display_name: string
description: string
]
}Example
{
"user":[
{
"name":"http",
"display_name":"HTTP auth backend user module",
"description":"Module to store users in the database"
},
{
"name":"mock",
"display_name":"Mock user module",
"description":"Mock user module for glewlwyd tests"
}
],
"client":[
{
"name":"mock",
"display_name":"Mock scheme module",
"description":"Mock scheme module for glewlwyd tests"
},
{
"name":"database",
"display_name":"Database backend client module",
"description":"Module to store clients in the database"
}
],
"scheme":[
{
"name":"mock",
"display_name":"Mock",
"description":"Mock scheme module for glewlwyd tests"
},
{
"name":"retype-password",
"display_name":"Short session password",
"description":"Glewlwyd authentification via user password with a short session duration"
}
],
"plugin":[
{
"name":"mock",
"display_name":"Mock plugin",
"description":"Mock plugin description"
},
{
"name":"oauth2-glewlwyd",
"display_name":"Glewlwyd OAuth2 plugin",
"description":"Plugin for legacy Glewlwyd OAuth2 workflow"
}
]
}Reload all the modules and instances, useful if you have multiple Glewlwyd instances connected to the same database
/api/mod/reload/
PUT
User with scope g_admin authorized or valid API key header.
Code 200
Return the list of all instances available for user modules
/api/mod/user/
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}]Example
[
{
"module":"mock",
"name":"mock",
"display_name":"Mock user module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"readonly":false,
"enabled":true
}
]Return the details of a user module instance
/api/mod/user/{name}
GET
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Content
{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}Example
{
"module":"mock",
"name":"mock",
"display_name":"Mock user module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"readonly":false,
"enabled":true
}Code 404
Module not found
Add a new user module instance
/api/mod/user/
POST
User with scope g_admin authorized or valid API key header.
{
module: string, name of the module, must be an existing user module available
name: string, name of the instance, maximum 128 characters
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a user
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/user/{name}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
{
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a user
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance updated
Code 404
Instance not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/user/{name}
DELETE
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Instance removed
Code 404
Instance not found
/api/mod/user/{name}/{action}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
action: either enable or disable or reset
Code 200
Action executed
Code 404
Instance not found
Return the list of all instances available for user middleware modules
/api/mod/user_middleware/
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
enabled: boolean
}]Example
[
{
"module":"mock",
"name":"mock",
"display_name":"Mock user middleware module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"enabled":true
}
]Return the details of a user middleware module instance
/api/mod/user_middleware/{name}
GET
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Content
{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
enabled: boolean
}Example
{
"module":"mock",
"name":"mock",
"display_name":"Mock user module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"enabled":true
}Code 404
Module not found
Add a new user middleware module instance
/api/mod/user_middleware/
POST
User with scope g_admin authorized or valid API key header.
{
module: string, name of the module, must be an existing user module available
name: string, name of the instance, maximum 128 characters
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a user
}Code 200
Instance added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/user_middleware/{name}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
{
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a user
}Code 200
Instance updated
Code 404
Instance not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/user_middleware/{name}
DELETE
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Instance removed
Code 404
Instance not found
/api/mod/user_middleware/{name}/{action}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
action: either enable or disable or reset
Code 200
Action executed
Code 404
Instance not found
Return the list of all instances available for client modules
/api/mod/client/
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}]Example
[
{
"module":"mock",
"name":"mock",
"display_name":"Mock client module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"readonly":false,
"enabled":true
}
]Return the details of a client module instance
/api/mod/client/{name}
GET
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Content
{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}Example
{
"module":"mock",
"name":"mock",
"display_name":"Mock client module",
"order_rank":0,
"parameters":{
"username-prefix":"",
"password":"password"
},
"readonly":false,
"enabled":true
}Code 404
Module not found
Add a new client module instance
/api/mod/client/
POST
User with scope g_admin authorized or valid API key header.
{
module: string, name of the module, must be an existing client module available
name: string, name of the instance, maximum 128 characters
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a client
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/client/{name}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
{
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a client
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance updated
Code 404
Instance not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/client/{name}
DELETE
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Instance removed
Code 404
Instance not found
/api/mod/client/{name}/{action}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
action: either enable or disable or reset
Code 200
Action executed
Code 404
Instance not found
Return the list of all instances available for user auth scheme modules
/api/mod/scheme/
GET
user with scope g_admin authorized.
Code 200
Content
[{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
enabled: boolean
}]Example
[
{
"module":"mock",
"name":"mock_scheme_42",
"display_name":"Mock 42",
"expiration":600,
"max_use":0,
"parameters":{
"mock-value":"42"
},
"allow_user_register":true,
"enabled":true
}
]Return the details of a user auth scheme module instance
/api/mod/scheme/{name}
GET
user with scope g_admin authorized.
name: name of the instance
Code 200
Content
{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
enabled: boolean
}Example
{
"module":"mock",
"name":"mock_scheme_42",
"display_name":"Mock 42",
"expiration":600,
"max_use":0,
"parameters":{
"mock-value":"42"
},
"allow_user_register":true,
"enabled":true
}Code 404
Module not found
Add a new user auth scheme module instance
/api/mod/scheme/
POST
user with scope g_admin authorized.
{
module: string, name of the module, must be an existing user auth scheme module available
name: string, name of the instance, maximum 128 characters
display_name: string, long name of the instance, maximum 256 characters
duration: number, duration of the scheme authentication in seconds
max_use: number, maximum use of the scheme authentication per session
parameters: object, parameters used for the initialization of this instance
}Code 200
Instance added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/scheme/{name}
PUT
user with scope g_admin authorized.
name: name of the instance
{
display_name: string, long name of the instance, maximum 256 characters
duration: number, duration of the scheme authentication in seconds
max_use: number, maximum use of the scheme authentication per session
parameters: object, parameters used for the initialization of this instance
}Code 200
Instance updated
Code 404
Instance not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/scheme/{name}
DELETE
user with scope g_admin authorized.
name: name of the instance
Code 200
Instance removed
Code 404
Instance not found
/api/mod/scheme/{name}/{action}
PUT
user with scope g_admin authorized.
name: name of the instance
action: either enable or disable or reset
Code 200
Action executed
Code 404
Instance not found
Return the list of all instances available for plugin modules
/api/mod/plugin/
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}]Example
[
{
"module":"oauth2-glewlwyd",
"name":"glwd",
"display_name":"OAuth2 Glewlwyd plugin",
"parameters":{
"jwt-type":"sha",
"jwt-key-size":"256",
"key":"secret",
"access-token-duration":3600,
"refresh-token-duration":1209600,
"code-duration":600,
"refresh-token-rolling":true,
"auth-type-code-enabled":true,
"auth-type-implicit-enabled":true,
"auth-type-password-enabled":true,
"auth-type-client-enabled":true,
"auth-type-refresh-enabled":true,
"scope":[
{
"name":"g_profile",
"refresh-token-rolling":true
},
{
"name":"scope1",
"refresh-token-rolling":true
},
{
"name":"scope2",
"refresh-token-rolling":false,
"refresh-token-duration":7200
}
]
},
"enabled":true
}
]Return the details of a plugin module instance
/api/mod/plugin/{name}
GET
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Content
{
module: string, name of the module
name: string, name of the instance
display_name: string
parameters: object, parameters used for the initialization of this instance
order_rank: number
readonly: boolean
enabled: boolean
}Example
{
"module":"oauth2-glewlwyd",
"name":"glwd",
"display_name":"OAuth2 Glewlwyd plugin",
"parameters":{
"jwt-type":"sha",
"jwt-key-size":"256",
"key":"secret",
"access-token-duration":3600,
"refresh-token-duration":1209600,
"code-duration":600,
"refresh-token-rolling":true,
"auth-type-code-enabled":true,
"auth-type-implicit-enabled":true,
"auth-type-password-enabled":true,
"auth-type-client-enabled":true,
"auth-type-refresh-enabled":true,
"scope":[
{
"name":"g_profile",
"refresh-token-rolling":true
},
{
"name":"scope1",
"refresh-token-rolling":true
},
{
"name":"scope2",
"refresh-token-rolling":false,
"refresh-token-duration":7200
}
]
},
"enabled":true
}Code 404
Module not found
Add a new plugin module instance
/api/mod/plugin/
POST
User with scope g_admin authorized or valid API key header.
{
module: string, name of the module, must be an existing plugin module available
name: string, name of the instance, maximum 128 characters
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a plugin
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/plugin/{name}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
{
display_name: string, long name of the instance, maximum 256 characters
parameters: object, parameters used for the initialization of this instance
order_rank: number, priority of this instance to get a plugin
readonly: boolean, set to true if the instance is in read only mode
}Code 200
Instance updated
Code 404
Instance not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/mod/plugin/{name}
DELETE
User with scope g_admin authorized or valid API key header.
name: name of the instance
Code 200
Instance removed
Code 404
Instance not found
/api/mod/plugin/{name}/{action}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the instance
action: either enable or disable or reset
Code 200
Action executed
Code 404
Instance not found
Return a list of users available
/api/user/
GET
User with scope g_admin authorized or valid API key header.
offset: number, the offset to start the list, default 0
limit: number, the maximal number of elements in the list, default 100
source: string, the instance name to limit the result, if not set, all instances will be used
pattern: string, the pattern to filter the result
Code 200
Content
[{
username: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, mandatory
name: string, optional
email: string, optional
other values: string or array of strings, optional, depends on what's returned by the module instance
}]Example
[
{
username: "user1",
scope: [
"g_profile",
"scope1",
"scope2"
],
enabled: true,
name: "Dave Lopper",
email: "user1@glewlwyd",
alias: [
"dev",
"plop"
]
},
{
username: "user2",
scope: [
"g_profile"
],
enabled: true,
name: "Dave Lopper 2",
email: "user2@glewlwyd"
}
]Return the details of a plugin module instance
/api/user/{username}
GET
User with scope g_admin authorized or valid API key header.
username: username to return, mandatory
source: user module instance to look for the user, optional, if not set look on all instances
Code 200
Content
{
username: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, mandatory
name: string, optional
email: string, optional
other values: string or array of strings, optional, depends on what's returned by the module instance
}Example
{
username: "user1",
scope: [
"g_profile",
"scope1",
"scope2"
],
enabled: true,
name: "Dave Lopper",
email: "user1@glewlwyd",
alias: [
"dev",
"plop"
]
}Code 404
User not found
/api/user/
POST
User with scope g_admin authorized or valid API key header.
source: user module instance to look for the user, optional, if not set, the first instance in write mode in order rank will host the new user
{
username: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
password: string, optional, if not set, the user won't be able to authenticate
enabled: boolean, optional, default true
name: string, optional
email: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
User added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/user/{username}
PUT
User with scope g_admin authorized or valid API key header.
username: username of the user to update
source: user module instance to look for the user, optional, if not set look on all instances
{
username: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, optional, default true
name: string, optional
email: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
User updated
Code 404
User not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/user/{username}
DELETE
User with scope g_admin authorized or valid API key header.
username: username of the user to delete
Code 200
User removed
Code 404
User not found
Return a list of clients available
/api/client/
GET
User with scope g_admin authorized or valid API key header.
offset: number, the offset to start the list, default 0
limit: number, the maximal number of elements in the list, default 100
source: string, the instance name to limit the result, if not set, all instances will be used
pattern: string, the pattern to filter the result
Code 200
Content
[{
client_id: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, mandatory
name: string, optional
description: string, optional
confidential: boolean, optional
other values: string or array of strings, optional, depends on what's returned by the module instance
}]Example
[
{
client_id: "client1",
scope: [
"scope1",
"scope2"
],
enabled: true,
name: "First client",
confidential: true,
redirect_uri: [
"http://example.com/"
]
},
{
client_id: "client2",
scope: [
"scope1"
],
enabled: true,
name: "Second client",
confidential: false,
redirect_uri: [
"http://another.example.com"
]
}
]Return the details of a plugin module instance
/api/client/{client_id}
GET
User with scope g_admin authorized or valid API key header.
client_id: client_id to return, mandatory
source: client module instance to look for the client, optional, if not set look on all instances
Code 200
Content
{
client_id: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, mandatory
name: string, optional
description: string, optional
confidential: boolean, optional
other values: string or array of strings, optional, depends on what's returned by the module instance
}Example
{
client_id: "client1",
scope: [
"scope1",
"scope2"
],
enabled: true,
name: "First client",
confidential: true,
redirect_uri: [
"http://example.com/"
]
}Code 404
Client not found
/api/client/
POST
User with scope g_admin authorized or valid API key header.
source: client module instance to look for the client, optional, if not set, the first instance in write mode in order rank will host the new client
{
client_id: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
password: string, optional, if not set, the client won't be able to authenticate
enabled: boolean, optional, default true
name: string, optional
description: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
Client added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/client/{client_id}
PUT
User with scope g_admin authorized or valid API key header.
client_id: client_id of the client to update
source: client module instance to look for the client, optional, if not set look on all instances
{
client_id: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
password: string, optional, if not set, the client won't be able to authenticate
enabled: boolean, optional, default true
name: string, optional
description: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
Client updated
Code 404
Client not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/client/{client_id}
DELETE
User with scope g_admin authorized or valid API key header.
client_id: client_id of the client to delete
Code 200
Client removed
Code 404
Client not found
Return a list of scopes available
/api/scope/
GET
User with scope g_admin authorized or valid API key header.
offset: number, the offset to start the list, default 0
limit: number, the maximal number of elements in the list, default 100, if limit is explicitly set to 0, no limit
source: string, the instance name to limit the result, if not set, all instances will be used
pattern: string, the pattern to filter the result
Code 200
Content
[{
name: string, mandatory
display_name: string, mandatory
description: string, mandatory
password_required: boolean, mandatory
scheme: {
group_name: [
{
scheme_type: module type, string, mandatory
scheme_name: module name, string, mandatory
scheme_display_name: module display name, string, mandatory
}
]
}
}]Example
[
{
name: "scope1",
display_name: "First scope",
description: "The first scope",
password_required: true,
scheme: {
group1: [
{
scheme_type: "mock",
scheme_name: "mock1",
scheme_display_name: "First mock scheme"
},
{
scheme_type: "mock",
scheme_name: "mock2",
scheme_display_name: "Second mock scheme"
}
]
}
},
{
name: "scope2",
scope: [
"scope1"
],
enabled: true,
name: "Second scope",
confidential: false,
redirect_uri: [
"http://another.example.com"
]
}
]Return the details of a plugin module instance
/api/scope/{name}
GET
User with scope g_admin authorized or valid API key header.
name: name to return, mandatory
source: scope module instance to look for the scope, optional, if not set look on all instances
Code 200
Content
{
name: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
enabled: boolean, mandatory
name: string, optional
description: string, optional
confidential: boolean, optional
other values: string or array of strings, optional, depends on what's returned by the module instance
}Example
{
name: "scope1",
scope: [
"scope1",
"scope2"
],
enabled: true,
name: "First scope",
confidential: true,
redirect_uri: [
"http://example.com/"
]
}Code 404
Scope not found
/api/scope/
POST
User with scope g_admin authorized or valid API key header.
source: scope module instance to look for the scope, optional, if not set, the first instance in write mode in order rank will host the new scope
{
name: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
password: string, optional, if not set, the scope won't be able to authenticate
enabled: boolean, optional, default true
name: string, optional
description: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
Scope added
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/scope/{name}
PUT
User with scope g_admin authorized or valid API key header.
name: name of the scope to update
source: scope module instance to look for the scope, optional, if not set look on all instances
{
name: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
password: string, optional, if not set, the scope won't be able to authenticate
enabled: boolean, optional, default true
name: string, optional
description: string, optional
other values: string or array of strings, optional, depends on the module instance
}Code 200
Scope updated
Code 404
Scope not found
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/scope/{name}
DELETE
User with scope g_admin authorized or valid API key header.
name: name of the scope to delete
Code 200
Scope removed
Code 404
Scope not found
Return a list of API keys available
/api/key/
GET
User with scope g_admin authorized.
offset: number, the offset to start the list, default 0
limit: number, the maximal number of elements in the list, default 100, if limit is explicitly set to 0, no limit
source: string, the instance name to limit the result, if not set, all instances will be used
pattern: string, the pattern to filter the result
Code 200
Content
[{
token_hash: string, mandatory
counter: integer, mandatory
username: string, mandatory
issued_at: integer, mandatory
issued_for: string, mandatory
user_agent: string, mandatory
enabled: boolean, mandatory
}]Example
[
{
"token_hash":"{SHA512}SDb_4UvKcD_4[...]9xSVRunzcJg==",
"counter":42,
"username":"admin",
"issued_at":735700882,
"issued_for":"1.2.3.4",
"user_agent":"NCSA_Mosaic/2.0 (Windows 3.1)","enabled":true
},
{
"token_hash":"{SHA512}BOw-ad5HskG11[...]N90_LUcuDnkxdRI5TN_w==",
"counter":15,
"username":"operator",
"issued_at":1466571360,
"issued_for":"4.3.2.1",
"user_agent":"Lynx/2.8.9rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/3.6.5",
"enabled":false
},
{
"token_hash":"{SHA512}_pkJyrClgz66[...]aIgWl8X8L4r0DwG3A==",
"counter":0,
"username":"admin",
"issued_at":1600774400,
"issued_for":"6.6.6.6",
"user_agent":"curl/7.20.0 (x86_64-redhat-linux-gnu) libcurl/7.20.0 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5",
"enabled":true
}
]/api/key/
POST
User with scope g_admin authorized.
Code 200
Content
{
key: string, mandatory
}Example
{
key: "abcdEFGH1234"
}/api/key/{token_hash}
DELETE
token_hash: identifier of the token to disable
User with scope g_admin authorized.
Code 200
/api/auth
POST
{
username: string, mandatory
password: string, mandatory
}Code 200
User authenticated.
A session cookie is sent to the browser. This cookie will be used by all endpoints that require authentication.
Code 400
Error input parameters
Code 401
Authentication failure
/api/auth
POST
{
username: string, optional for schemes mock, OAuth2 and TLS certificate with scheme storage option, mandatory otherwise
scheme_type: string, mandatory
scheme_name: string: mandatory
value: object, mandatory, content depends on the scheme
}Code 200
User authenticated
A session cookie is sent to the browser. This cookie will be used by all endpoints that require authentication.
Code 400
Error input parameters
Code 401
Authentication failure
/auth/scheme/
GET
Valid user session.
scope: list of scopes requested, separated by spaces
Code 200
Content
{
"scope_name": { // Name of the scope
"password_required": boolean, wether the password is required to access this scope
"schemes":{
"group_name": [
{
"scheme_type": string, module name of the scheme
"scheme_name": string, module instance name
"scheme_display_name": string, mudule instance display name
"scheme_authenticated": boolean, wether this scheme is authenticated for this user on this session
"scheme_registered": boolean wether this scheme is registered for this user
}
]
},
"display_name": string, display name of the scope
"description":string, description of the scope
"password_authenticated": boolean, wether this scope is authenticated for this user on this session
"available": boolean, wether this scope is available for this user
}
}Code 400
Error input parameters
Code 401
Authentication failure
/api/auth/scheme/trigger
POST
{
username: string, optional for schemes mock, OAuth2 and TLS certificate with scheme storage option, mandatory otherwise
scheme_type: string, mandatory
scheme_name: string: mandatory
value: object, mandatory, content depends on the scheme
}Code 200
User authenticated
Code 400
Error input parameters
Code 401
Authentication failure
/api/auth
POST
{
username: string, mandatory
}Code 200
Current user changed
Code 400
Error input parameters
Code 401
Authentication failure
/api/auth/grant/{client_id}/{scope_list}
GET
User with scope g_profile authorized.
client_id: client_id of the client
scope_list: list of scopes separated by a space
Code 200
Content
{
"client":{
"client_id": string, client_id
"name": string, client name
},
"scope":[
{
"name": string, scope name
"display_name": string, scope display name
"description": string, scope description
"password_required": boolean, wether this scope has password required to login
"granted": boolean, wether this scope is granted to this client by this user
}
]
}Code 401
No enabled authenticated user for this session
/auth/grant/{client_id}/
PUT
User with scope g_profile authorized.
{
"scope": string, scope list granted to this client separated by a comma, set the list empty to remove all grant
}Code 200
User updated
Code 400
Error input parameters
Content
A JSON array with the error messages
The first element in the returned array is the current user
/api/profile_list
GET
User with scope g_profile authorized.
Code 200
Content
[
{
username: string, mandatory
scope:[
scope_value: string, mandatory, array can be empty
],
name: string, optional
email: string, optional
other values: string or array of strings, optional, depends on what's returned by the module instance for the profile
}
]Code 401
No enabled authenticated user for this session
/api/profile
PUT
User with scope g_profile authorized.
{
username: string, mandatory
name: string, optional
other values: string or array of strings, optional, depends on what's exptected by the module instance for the profile
}Code 200
User updated
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/profile/password
PUT
User with scope g_profile authorized.
{
username: string, mandatory, same username as current user
old_password: string, mandatory
password: string, mandatory
}Code 200
User password updated
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/profile/
DELETE
User with scope g_profile authorized.
Code 200
Profile successfully removed
Code 403
The user is not allowed to remove its own profile.
/api/profile/plugin
GET
User with scope g_profile authorized.
Code 200
Content
[
{
"module": string, plugin type
"name": string, plugin instance name
"display_name": string, plugin instance display name
}
]Code 401
No enabled authenticated user for this session
/api/profile/grant
GET
User with scope g_profile authorized.
Code 200
Content
[
{
"client_id": string, client_id of the client
"name": string, client name
"description": string, client description
"scope": [
{
"name": string, name of the scope
"display_name": string, display name of the scope
"description": string, description of the scope
}
]
}
]Code 401
No enabled authenticated user for this session
/api/profile/session
GET
User with scope g_profile authorized.
Code 200
Content
[
{
session_hash: string,
user_agent: string,
issued_for: string,
expiration: string,
last_login: string,
enabled: string
}
]Code 401
No enabled authenticated user for this session
/api/profile/session/{session_hash}
DELETE
User with scope g_profile authorized.
Code 200
Session disabled
Code 401
No enabled authenticated user for this session
/api/profile/scheme
GET
User with scope g_profile authorized.
Code 200
Content
[
{
"module": string, module name of the scheme
"name": string, module instance name
"display_name": string, module instance display name
"expiration": number, duration of an authentication with this scheme
"max_use": number, number of thime this scheme authenticated can be used in a plugin
"allow_user_register": boolean, wether the user can register this scheme
"enabled": boolean
}
]Code 401
No enabled authenticated user for this session
/api/profile/scheme/register/
POST
User with scope g_profile authorized.
{
username: string, mandatory
scheme_type: string, mandatory
scheme_name: string: mandatory
value: object, mandatory, content depends on the scheme
}Code 200
Scheme registered
Code 400
Error input parameters
Content
A JSON array with the error messages
Code 401
No enabled authenticated user for this session
/api/profile/scheme/register/
PUT
User with scope g_profile authorized.
{
username: string, mandatory
scheme_type: string, mandatory
scheme_name: string: mandatory
}Code 200
Content
Depends on the scheme
Code 400
Error input parameters
Content
A JSON array with the error messages
Code 401
No enabled authenticated user for this session
All those endpoints are available for an administrator in order to access and update a user's profile and its schemes registration
/api/delegate/profile?username=<username>
PUT
Admin with scope g_admin authorized.
{
username: string, mandatory
name: string, optional
other values: string or array of strings, optional, depends on what's exptected by the module instance for the profile
}Code 200
User updated
Code 400
Error input parameters
Content
A JSON array with the error messages
/api/delegate/profile/session?username=<username>
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[
{
session_hash: string,
user_agent: string,
issued_for: string,
expiration: string,
last_login: string,
enabled: string
}
]Code 401
No enabled authenticated admin for this session
/api/delegate/profile/session/{session_hash}?username=<username>
DELETE
User with scope g_admin authorized or valid API key header.
Code 200
Session disabled
Code 401
No enabled authenticated user for this session
/api/delegate/profile/plugin?username=<username>
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[
{
"module": string, plugin type
"name": string, plugin instance name
"display_name": string, plugin instance display name
}
]Code 401
No enabled authenticated user for this session
/api/delegate/profile/scheme?username=<username>
GET
User with scope g_admin authorized or valid API key header.
Code 200
Content
[
{
"module": string, module name of the scheme
"name": string, module instance name
"display_name": string, module instance display name
"expiration": number, duration of an authentication with this scheme
"max_use": number, number of thime this scheme authenticated can be used in a plugin
"allow_user_register": boolean, wether the user can register this scheme
"enabled": boolean
}
]Code 401
No enabled authenticated user for this session
/api/delegate/profile/scheme/register/?username=<username>
POST
User with scope g_admin authorized or valid API key header.
{
username: string, mandatory
scheme_type: string, mandatory
scheme_name: string: mandatory
value: object, mandatory, content depends on the scheme
}Code 200
Scheme registered
Code 400
Error input parameters
Content
A JSON array with the error messages
Code 401
No enabled authenticated user for this session
/api/delegate/profile/scheme/register/?username=<username>
PUT
User with scope g_admin authorized or valid API key header.
{
username: string, mandatory
scheme_type: string, mandatory
scheme_name: string: mandatory
}Code 200
Content
Depends on the scheme
Code 400
Error input parameters
Content
A JSON array with the error messages
Code 401
No enabled authenticated user for this session
This chapter will describe the specific parameters for the authentication schemes.
The following APIs will be further explained for each scheme:
- Register scheme:
POST/api/profile/scheme/register/ - Get scheme registration:
PUT/api/profile/scheme/register/ - Trigger scheme:
POST/api/auth/scheme/trigger - Authentication using scheme:
POST/api/auth
For each APIs, the request and/or response body format will be described. This documentation is an addendum to the generic API documentation above.
This scheme exist for tests use only, it simply is an authentication scheme that will behave as a normal scheme and implements all the functions to help designing and programming Glewlwyd.
{
username: string, mandatory
scheme_type: "mock"
scheme_name: string: mandatory
value: {
register: boolean, mandatory
}
}Set the parameter value.register to true or false to enable or disable the scheme for the user.
{
username: string, mandatory
scheme_type: "mock"
scheme_name: string: mandatory
}booleanThe response value will be true or false depending on the scheme registration status.
{
username: string, mandatory
scheme_type: "mock"
scheme_name: string: mandatory
value: {} empty object, mandatory
}{
code: string, will contain the mock value expected to authenticate the user
}{
username: string, optional
scheme_type: "mock"
scheme_name: string: mandatory
value: {
username: string, mandatory if omitted below
code: string, mandatory
}
}This authentication scheme sends an one-time password to the e-mail of the user and awaits for the user to retype the password in the login page. Therefore, no registration is possible for the user, and the get registration API will return a HTTP status 200 if the user has an e-mail address and 400 otherwise.
{
username: string, mandatory
scheme_type: "email"
scheme_name: string: mandatory
value: {} empty object, mandatory
}{
username: string, mandatory
scheme_type: "email"
scheme_name: string: mandatory
value: {
code: string, mandatory
}
}Request a random secret for a new OTP to the server. The random secret will be returned in a base32 string format.
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
generate-secret: true
}
}Delete current OTP setting for the current user
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
type: "NONE"
}
}Setup current OTP setting as HOTP
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
type: "HOTP"
secret: base32 string, mandatory
moving_factor: positive integer, optional
}
}Setup current OTP setting as TOTP
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
type: "TOTP"
secret: base32 string, mandatory
time_step_size: non zero positive integer, optional
}
}{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
}{
digits: integer, number of digits required on the authentication code
issuer: string, will contain the issuer value (a metadata)
hotp-allow: boolean, set to true if the user is allowed to register a HOTP
totp-allow: boolean, set to true if the user is allowed to register a TOTP
type: string, will contain one of the following values: "NONE", "HOTP" or "TOTP"
secret: string, secret registered if a scheme is registered
moving_factor: integer
time_step_size: integer
}Example, for a TOTP registration:
{
digits: 6,
issuer: "https://glewlwyd.tld",
hotp-allow: true,
totp-allow: true,
type: "TOTP",
secret: "abcd1234===",
moving_factor: 0
time_step_size: 30
}N/A
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
value: string, mandatory
}
}This authentication scheme simply uses the password field of the user - if it's possible - therefore, this scheme simply has an authentication API implemented
N/A
N/A
N/A
{
username: string, mandatory
scheme_type: "otp"
scheme_name: string: mandatory
value: {
password: string, mandatory
}
}This scheme is based on the WebAuthn API.
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: string, values available are "new-credential", "register-credential", "remove-credential", "disable-credential", "enable-credential", "edit-credential", "trigger-assertion" or "validate-assertion"
// Other values depending on the register value
}
}- Request body format for
register: "new-credential"
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "new-credential"
}
}- Response body format for
register: "new-credential"
{
session: string
challenge: string
pubKey-cred-params: array of string, list of public key formats accepted
attestation-required: boolean, set to false if scheme accepts fmt type "none"
user: {
id: string
name: string
}
rpId: string, relaying part id
}- Request body format for
register: "register-credential"
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "register-credential",
session: string, must be the session id sent in the previous "register-credential"
credential: { // The credential object is returned by the WebAuthn API call `navigator.credentials.create` in the profile page
rawId: string
response: {
clientDataJSON: string
attestationObject: string
}
}
}
}- Response body format for
register: "register-credential"
HTTP Status 200 on success, 401 on error registration, 400 on error parameters, 404 on error in the session id, 500 otherwise
- Request body format for
register: "remove-credential",register: "disable-credential",register: "enable-credential"
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "remove-credential" || "disable-credential" || enable-credential",
credential_id: string, must a valid `credential_id` returned by the get_gegister API
}
}- Response body format for
register: "register-credential"
HTTP Status 200 on success, 400 on error parameters, 404 on error in the credential_id, 500 otherwise
- Request body format for
register: "trigger-assertion"
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "trigger-assertion"
}
}- Response body format for
register: "trigger-assertion"
{
allowCredentials: array of strings, list of credentials accepted for the user
session: string
challenge: string
user: {
id: string
name: string
}
rpId: string, relaying part id
}- Request body format for
register: "validate-assertion"
{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "validate-assertion",
session: string, must be the session id sent in the previous "register-credential"
credential: { // The credential object is returned by the WebAuthn API call `navigator.credentials.get` in the profile page
rawId: string
response: {
clientDataJSON: string
authenticatorData: string
}
}
}
}- Response body format for
register: "register-credential"
HTTP Status 200 on success, 401 on error registration, 400 on error parameters, 404 on error in the session id, 500 otherwise
[
{
credential_id: string, identifier of the credential
name: string, display name of the credential
created_at: integer, UNIX epoch time where the credential was created
status: string, status of the credential, values available are "registered" or "disabled"
}
]{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {}
}{
allowCredentials: array of strings, list of credentials accepted for the user, can be a fake list depending on the scheme configuration and the username requested
session: string
challenge: string
user: {
id: string
name: string
}
rpId: string, relaying part id
}{
username: string, mandatory
scheme_type: "webauthn"
scheme_name: string: mandatory
value: {
register: "validate-assertion",
session: string, must be the session id sent in the previous "register-credential"
credential: { // The credential object is returned by the WebAuthn API call `navigator.credentials.get` in the profile page
rawId: string
response: {
clientDataJSON: string
authenticatorData: string
}
}
}
}This authentication scheme is based on TLS certificate authentication. The first level of authentication is provided by the TLS layer deep down the application, therefore a user can't authenticate with an invalid certificate or a certificate not provided by the configured CA. The scheme module is used to integrate the auth result in Glewlwyd's authentication process with the session, and is also used to manage registered certificates and emit new certificates if possible.
To successfully authenticate a user in Glewlwyd's process using the TLS certificate, the used certificate must be valid for the TLS layer AND must be previously registered in the user's authorized certificate list.
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: string, values available are "test-certificate", "upload-certificate", "use-certificate", "request-certificate", "toggle-certificate" or "delete-certificate"
// Other values depending on the register value
}
}- Request body format for
register: "test-certificate"
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "test-certificate"
}
}- Response for
register: "test-certificate"
HTTP Status 200 on success, 401 on test error, 400 on error parameters, 500 otherwise
- Request body format for
register: "upload-certificate"
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "upload-certificate"
x509: string, a X509 certificate in PEM format
}
}- Response for
register: "upload-certificate"
HTTP Status 200 on success, 400 on error parameters, 500 otherwise
- Request body format for
register: "use-certificate"
This register action uses the certificate currently used in the TLS layer.
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "use-certificate"
}
}- Response for
register: "upload-certificate"
HTTP Status 200 on success, 400 on error parameters, 500 otherwise
- Request body format for
register: "request-certificate"
This register action returns a PKCS#12 file in DER format encoded in base64 with a random generated password to unlock the provided file.
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "request-certificate"
}
}- Response body format for
register: "request-certificate"
{
p12: string, PKCS#12 file in DER format encoded in base64
password: string, used to unlck the PKCS#12 file
}- Request body format for
register: "toggle-certificate"
This register action enable or disable a registered certificate
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "toggle-certificate"
certificate_id: string, a certificate_id registered to the user, mandatory
enabled: boolean, set the status to enabled or disabled for the certificate
}
}- Request body format for
register: "delete-certificate"
This register action deletes a registered certificate
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
register: "delete-certificate"
certificate_id: string, a certificate_id registered to the user, mandatory
}
}[
{
credential_id: string, identifier of the certificate
certificate_dn: DN of the certificate
certificate_issuer_dn: DN Of the issuer of the certificate
activation: integer, UNIX Epoch time where the certificate was activated
expiration: integer, UNIX Epoch time where the certificate will expire
last_used: integer, UNIX Epoch time when the certificate was last succesfully used to authenticate a user, optional
last_user_agent: string, value of the user-agent when the certificate was last succesfully used to authenticate a user, optional
enabled: boolean
}
]N/A
{
username: string, optional if option scheme storage is set, mandatory otherwise
scheme_type: "certificate"
scheme_name: string: mandatory
value: {}
}{
username: string, mandatory
scheme_type: "oauth2"
scheme_name: string: mandatory
value: {
action: string, values available are "new", "callback", "delete"
// Other values depending on the register action value
}
}- Request body format for
action: "new"
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
action: "new",
provider: string, provider name to register
complete_url: string, uri for registration completion
}
}- Response for
action: "new"
{
redirect_to: string, url to the authorization uri
}HTTP Status 200 on success, 400 on error parameters, 500 otherwise
- Request body format for
action: "callback"
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
action: "callback",
provider: string, provider name to register
state: string
redirect_to: string
}
}HTTP Status 200 on success, 400 on error parameters, 500 otherwise
- Request body format for
action: "delete"
{
username: string, mandatory
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
action: "delete",
provider: string, provider name to delete
}
}HTTP Status 200 on success, 400 on error parameters, 500 otherwise
[
{
provider: string, identifier of the provider
logo_uri: string, uri of the provider logo
logo_fa: string, fork-awesome logo name
enabled: boolean
created_at: null
}
]- Get provider list
{
username: string, mandatory
scheme_type: "oauth2"
scheme_name: string: mandatory
value: {
provider_list: true
}
}- Response for
provider_list
[
{
provider: string, identifier of the provider
logo_uri: string, uri of the provider logo
logo_fa: string, fork-awesome logo name
enabled: boolean
created_at: null
}
]- Run authentication flow
{
username: string, optional
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
provider: string, provider name to authenticate
}
}- Response for
action: "new"
{
redirect_to: string, url to the authorization uri
}{
username: string, optional
scheme_type: "certificate"
scheme_name: string: mandatory
value: {
provider: string, provider name to register
state: string
redirect_to: string
}
}HTTP Status 200 on success, 400 on error parameters, 500 otherwise